On Wed, Feb 16, 2011 at 4:47 PM, Alexander Kapps <alex.ka...@web.de> wrote: > On 17.02.2011 01:00, GSO wrote: >> Having said that I'm possibly arriving at the conclusion that a quick >> perl script might be the simplest/easiest and most secure option - I >> read perl includes code to safely run suid perl scripts - will dig out >> my perl tomes. > > Not sure, but Perl is just another "scripting language" (hate that term) and > you cannot have scripts be SUID. > > I have almost no experiences with Perl, but I really doubt, that the general > problem would be solved with it.
It depends on what OS you're on: #1 On some OS's, setuid #! is an instant root - the script doesn't even need to run. In fact, the problem hinges on the script not running. #2 On others, setuid #! is safe. Or rather, safe if you write your script pretty carefully. #3 On still others, setuid #! doesn't change your access at all; it's just run under the uid that started the script. The perl folk have attempted to make #2 safer with their "taint" stuff (think "dataflow for user inputs to avoid invoking subshells with user inputted data"). There's not a lot they could do about #1 - perl doesn't really enter the picture there. And for #3, you still need a wrapper of some sort, otherwise your script doesn't change users. So yeah, whether you use perl or anything else invoked with #!, you're pretty much better off with sudo, or a tiny C wrapper that's so simple it's hard to get wrong. However, perl's taint feature would be useful irrespective when writing privileged code; it removes some of the skill required. -- http://mail.python.org/mailman/listinfo/python-list
